
sflowtool

Print binary sFlow feed to ASCII, or forward it to other collectors.

This tool receives sFlow data, and generates either a simple-to-parse tagged-ASCII output,
or binary output in tcpdump(1) format. It can also generate Cisco NetFlow version 5 datagrams
and send them to a destination UDP host:port, or forward the original sFlow feed to a number
of additional collectors.

Build from sources

Usage examples

If sFlow is arriving on port 6343, you can pretty-print the data like this:

% ./sflowtool -p 6343

or get a line-by-line output like this:

% ./sflowtool -p 6343 -l

In a typical application, this output would be parsed by an awk or perl script, perhaps to
extract MAC->IP address mappings or to extract a particular counter for trending. The
usage might then look more like this:

Example Output

An example of the pretty-printed output is shown below. Note that every field can be
parsed as two space-separated tokens (tag and value). Newlines separate one field from
the next. The first field in a datagram is always the "unixSecondsUTC" field, and the
first field in a flow or counters sample is always the "sampleSequenceNo" field. In
this example, the datagram held two flow-samples and two counters-samples. Comments
have been added in <<>> brackets. These are not found in the output.
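As an added example (not part of sflowtool or its README), the following Python parser applies the rules just described: a new datagram starts at every "unixSecondsUTC" line, a new sample at every "sampleSequenceNo" line, and every other line is a space-separated tag/value pair attached to the current sample. It then performs the MAC->IP extraction mentioned under the usage examples. The sample output is constructed; apart from "unixSecondsUTC" and "sampleSequenceNo", the tag names used (agent, sampleType, srcMAC, srcIP, ifInOctets) are assumptions and not taken from this page.

```python
from collections import defaultdict

# Constructed sample of sflowtool pretty-printed output. Only unixSecondsUTC and
# sampleSequenceNo are named on this page; the other tag names are assumed.
SAMPLE_OUTPUT = """\
unixSecondsUTC 1700000000
agent 10.0.0.2
sampleSequenceNo 1
sampleType FLOWSAMPLE
srcMAC 001122334455
srcIP 192.0.2.10
sampleSequenceNo 2
sampleType COUNTERSSAMPLE
ifInOctets 123456
unixSecondsUTC 1700000005
agent 10.0.0.3
sampleSequenceNo 7
sampleType FLOWSAMPLE
srcMAC 001122334455
srcIP 192.0.2.11
"""

def parse_datagrams(text):
    """Return [(datagram_header, [sample, ...]), ...] as dicts of tag -> value.
    A datagram starts at each unixSecondsUTC line, a sample at each
    sampleSequenceNo line; other lines attach to the current sample, or to the
    datagram header when no sample has started yet."""
    datagrams, header, samples = [], None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, _, value = line.partition(" ")  # first token is the tag, rest is the value
        if tag == "unixSecondsUTC":
            if header is not None:
                datagrams.append((header, samples))
            header, samples = {tag: value}, []
        elif tag == "sampleSequenceNo":
            samples.append({tag: value})
        elif samples:
            samples[-1][tag] = value
        elif header is not None:  # lines before the first datagram are dropped
            header[tag] = value
    if header is not None:
        datagrams.append((header, samples))
    return datagrams

def mac_to_ip_mappings(text):
    """Map each srcMAC to the set of srcIP values seen with it in flow samples."""
    mapping = defaultdict(set)
    for _, samples in parse_datagrams(text):
        for s in samples:
            if "srcMAC" in s and "srcIP" in s:
                mapping[s["srcMAC"]].add(s["srcIP"])
    return dict(mapping)
```

In practice the text would come from `./sflowtool -p 6343` piped into the script rather than from the embedded constant.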

Other ExtendedTypes

The SWITCH, USER and URL extendedTypes may also appear. The SWITCH extendedType provides
information on input and output VLANs and priorities. The USER extendedType provides
information on the user-id that was allocated this IP address via a remote access session
(e.g. RADIUS or TACACS). The URL extendedType records, for an HTTP flow, the URL that was
originally requested. For more information, see the published sFlow documentation at
http://www.sflow.org.

Line-by-line CSV output

If you run sflowtool with the "-l" option, only one row of output is generated
for each flow or counter sample. It will look something like this:

The counter samples are indicated with the "CNTR" entry in the first column.
The second column is the agent address. The remaining columns are the
fields from the generic counters structure (see SFLIf_counters in sflow.h).

The flow samples are indicated with the "FLOW" entry in the first column.
The second column is the agent address. The remaining columns are: